Add missing security context to Keystone pods/containers
This updates the Keystone chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true. Change-Id: I2ac3a4efa6798e263de19f0db444f37c5236d121
This commit is contained in:
DODDA, PRATEEK REDDY
parent
6027ac0c0c
commit
cba3deb94e
@ -67,6 +67,7 @@ spec:
|
||||
{{ dict "envAll" $envAll "podName" "keystone-credential-setup" "containerNames" (list "keystone-credential-setup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
{{ dict "envAll" $envAll "application" "credential_setup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
initContainers:
|
||||
{{ tuple $envAll "credential_setup" $mounts_keystone_credential_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
restartPolicy: OnFailure
|
||||
@ -76,6 +77,7 @@ spec:
|
||||
- name: keystone-credential-setup
|
||||
{{ tuple $envAll "keystone_credential_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.credential_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "credential_setup" "container" "keystone_credential_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
- name: KEYSTONE_USER
|
||||
value: {{ .Values.jobs.credential_setup.user | quote }}
|
||||
|
||||
@ -37,6 +37,7 @@ spec:
|
||||
{{ dict "envAll" $envAll "podName" "keystone-domain-manage" "containerNames" (list "keystone-domain-manage" "keystone-domain-manage-init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
{{ dict "envAll" $envAll "application" "domain_manage" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }}
|
||||
@ -62,6 +63,7 @@ spec:
|
||||
- name: keystone-domain-manage
|
||||
{{ tuple $envAll "keystone_domain_manage" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.domain_manage | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "domain_manage" "container" "keystone_domain_manage" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
|
||||
@ -66,6 +66,7 @@ spec:
|
||||
{{ dict "envAll" $envAll "podName" "keystone-fernet-setup" "containerNames" (list "keystone-fernet-setup") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
{{ dict "envAll" $envAll "application" "fernet_setup" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
initContainers:
|
||||
{{ tuple $envAll "fernet_setup" $mounts_keystone_fernet_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
restartPolicy: OnFailure
|
||||
@ -75,6 +76,7 @@ spec:
|
||||
- name: keystone-fernet-setup
|
||||
{{ tuple $envAll "keystone_fernet_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.fernet_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "fernet_setup" "container" "keystone_fernet_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
env:
|
||||
- name: KEYSTONE_USER
|
||||
value: {{ .Values.jobs.fernet_setup.user | quote }}
|
||||
|
||||
@ -172,6 +172,27 @@ pod:
|
||||
keystone_api:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
credential_setup:
|
||||
pod:
|
||||
runAsUser: 42424
|
||||
container:
|
||||
keystone_credential_setup:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
fernet_setup:
|
||||
pod:
|
||||
runAsUser: 42424
|
||||
container:
|
||||
keystone_fernet_setup:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
domain_manage:
|
||||
pod:
|
||||
runAsUser: 42424
|
||||
container:
|
||||
keystone_domain_manage:
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
affinity:
|
||||
anti:
|
||||
type:
|
||||
|
||||
Loading…
Reference in New Issue
Block a user